Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

delimited by comma but not .csv file

kavana
Explorer
‎02-14-2017 06:26 PM

I have a jobinfo.log file in my server, it was delimited by comma but not [xxxx.csv] file.
So it can not be added into index just like [.csv].

I don't want to change the extension from [.log] to [.csv],but the extension has to be changed ?

Below is the jobinfo.log file

80925610,00004105,00000000,10660,"20170213140245","20170213140245",1,0,0,"ro,o,t","root"
80925612,00004106,00000000,10660,"20170213140250","20170213140250",1,0,0,"ro,o,t","root"
80925626,00004125,00000000,10660,"20170213140411","20170213140411",1,0,0,"ro,o,t","root"

You can see that the comma also in double quotation, so if the extension is not [.csv] then the result will be below

1,0,0,"ro,o,t","root" -> 1,0,0,ro,o,t,root #the string "ro,o,t" also be delimited by comma

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎02-16-2017 12:07 PM

It doesn't have to be a *.csv file to be able to use the sourcetype definition (event breaking, timestamp recognition etc) of built-in sourcetype csv. When you setup the data monitoring (input.conf), just explicitly assign the sourcetype as "csv".

0 Karma
Reply

kavana
Explorer
‎02-16-2017 04:16 PM

thank you so much!

it's worked !

0 Karma
Reply

DalJeanis
Legend
‎02-16-2017 11:24 AM

For this source, set up your props.conf with these and it should extract correctly.

FIELD_DELIMITER = ,
FIELD_QUOTE = "
0 Karma
Reply

JDukeSplunk
Builder
‎02-16-2017 10:07 AM

So are you just trying to bring this data in so that it will be separated into fields like a csv would be?

In that case bring the data in as a sourcetype (preferably unique sourcetype name), open it in search, expand one line, click "Event Actions" and use the field extractor. Choose "delimiters" , choose comma, and name the fields. This will create a transforms and props.conf for this sourcetype.

Or edit the transforms & props.conf files
https://answers.splunk.com/answers/170251/how-to-extract-two-fields-separated-by-delimiter-c.html

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Calling all Splunk developers, custom SPL builders, dashboarders, and Splunkbase app creators – the Builder ...

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you ready to take your threat hunting skills to the next level? As Splunk community members, you know the ...
Top